Knah-Tsaeb/MyShaarli
Knah-Tsaeb/MyShaarli
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
MyShaarli/doc/md/Reverse-proxy.md
nodiscc add670b8ab
doc: fix mkdocs build warnings/relative links 
INFO    -  Cleaning site directory
INFO    -  Building documentation to directory: /home/live/GIT/Shaarli/doc/html
INFO    -  Doc file 'index.md' contains an unrecognized relative link 'Usage#tag-cloud', it was left
           as is. Did you mean 'Usage.md#tag-cloud'?
INFO    -  Doc file 'index.md' contains an unrecognized relative link 'Usage#picture-wall', it was
           left as is. Did you mean 'Usage.md#picture-wall'?
INFO    -  Doc file 'index.md' contains an unrecognized relative link 'Usage#import-export', it was
           left as is. Did you mean 'Usage.md#import-export'?
INFO    -  Doc file 'Community-and-related-software.md' contains an unrecognized relative link
           'REST-API', it was left as is. Did you mean 'REST-API.md'?
INFO    -  Doc file 'Community-and-related-software.md' contains an unrecognized relative link
           'Theming', it was left as is.
INFO    -  Doc file 'Installation.md' contains an unrecognized relative link
           'dev/Development#third-party-libraries', it was left as is. Did you mean
           'dev/Development.md#third-party-libraries'?
INFO    -  Doc file 'Installation.md' contains an unrecognized relative link
           'Upgrade-and-migration', it was left as is. Did you mean 'Upgrade-and-migration.md'?
INFO    -  Doc file 'Plugins.md' contains an unrecognized relative link 'Shaarli-configuration', it
           was left as is. Did you mean 'Shaarli-configuration.md'?
INFO    -  Doc file 'REST-API.md' contains an unrecognized relative link 'Server-configuration', it
           was left as is. Did you mean 'Server-configuration.md'?
INFO    -  Doc file 'Reverse-proxy.md' contains an unrecognized relative link
           'Shaarli-configuration', it was left as is. Did you mean 'Shaarli-configuration.md'?
INFO    -  Doc file 'Server-configuration.md' contains an unrecognized relative link
           'Directory-structure', it was left as is.
INFO    -  Doc file 'Shaarli-configuration.md' contains an unrecognized relative link
           'Translations', it was left as is.
INFO    -  Doc file 'dev/Development.md' contains an unrecognized relative link 'Unit-tests', it was
           left as is. Did you mean 'Unit-tests.md'?
INFO    -  Doc file 'dev/Development.md' contains an unrecognized relative link 'GnuPG-signature',
           it was left as is. Did you mean 'GnuPG-signature.md'?
INFO    -  Doc file 'dev/GnuPG-signature.md' contains an unrecognized relative link 'Release
           Shaarli', it was left as is.
INFO    -  Doc file 'dev/Theming.md' contains an unrecognized relative link 'Shaarli-configuration',
           it was left as is.
INFO    -  Doc file 'dev/Translations.md' contains an unrecognized relative link 'Theming', it was
           left as is. Did you mean 'Theming.md'?
INFO    -  Documentation built in 0.40 seconds
2023-08-20 23:13:59 +02:00

143 lines
5.1 KiB
Markdown
Raw Blame History

# Reverse proxy
If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration. In this example:
- The Shaarli application server exposes port `10080` to the proxy (for example docker container started with `--publish 127.0.0.1:10080:80`).
- The Shaarli application server runs at `127.0.0.1` (container). Replace with the server's IP address if running on a different machine.
- Shaarli's Fully Qualified Domain Name (FQDN) is `shaarli.mydomain.org`.
- No HTTPS is setup on the application server, SSL termination is done at the reverse proxy.
In your [Shaarli configuration](Shaarli-configuration.md) `data/config.json.php`, add the public IP of your proxy under `security.trusted_proxies`.
See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%93&q=label%3Aproxy+) issues.
## Apache
```apache
<VirtualHost *:80>
ServerName shaarli.mydomain.org
# For SSL/TLS certificates acquired with certbot or self-signed certificates
# Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests
RewriteEngine on
RewriteRule ^.well-known/acme-challenge/ - [L]
RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
# SSL/TLS configuration for Let's Encrypt certificates managed with mod_md
#MDomain shaarli.mydomain.org
#MDCertificateAgreement accepted
#MDContactEmail admin@shaarli.mydomain.org
#MDPrivateKeys RSA 4096
<VirtualHost *:443>
ServerName shaarli.mydomain.org
# SSL/TLS configuration for Let's Encrypt certificates acquired with certbot standalone
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
# Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLOptions +StrictRequire
# SSL/TLS configuration for self-signed certificates
#SSLEngine on
#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
# let the proxied shaarli server/container know HTTPS URLs should be served
RequestHeader set X-Forwarded-Proto "https"
# send the original SERVER_NAME to the proxied host
ProxyPreserveHost On
# pass requests to the proxied host
# sets X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers
ProxyPass / http://127.0.0.1:10080/
ProxyPassReverse / http://127.0.0.1:10080/
</VirtualHost>
```
## HAProxy
```conf
global
[...]
defaults
[...]
frontend http-in
bind :80
redirect scheme https code 301 if !{ ssl_fc }
bind :443 ssl crt /path/to/cert.pem
default_backend shaarli
backend shaarli
mode http
option http-server-close
option forwardfor
reqadd X-Forwarded-Proto: https
server shaarli1 127.0.0.1:10080
```
- [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)
## Nginx
```nginx
http {
[...]
index index.html index.php;
root /home/john/web;
access_log /var/log/nginx/access.log combined;
error_log /var/log/nginx/error.log;
server {
listen 80;
server_name shaarli.mydomain.org;
# redirect HTTP to HTTPS
return 301 https://shaarli.mydomain.org$request_uri;
}
server {
listen 443 ssl http2;
server_name shaarli.mydomain.org;
ssl_certificate /path/to/certificate
ssl_certificate_key /path/to/private/key
# if shaarli is installed in a subdirectory of the main domain, edit the location accordingly
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
# pass requests to the proxied host
proxy_pass http://localhost:10080/;
proxy_set_header Host $host;
proxy_connect_timeout 30s;
proxy_read_timeout 120s;
}
}
}
```
## References
- [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
- [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
- [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
Reference in a new issue View git blame Copy permalink